1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/types.h> 29 #include <sys/systm.h> 30 #include <sys/stream.h> 31 #include <sys/cmn_err.h> 32 #include <sys/md5.h> 33 #include <sys/kmem.h> 34 #include <sys/strsubr.h> 35 #include <sys/random.h> 36 #include <sys/tsol/tnet.h> 37 38 #include <netinet/in.h> 39 #include <netinet/ip6.h> 40 41 #include <inet/common.h> 42 #include <inet/ip.h> 43 #include <inet/ip6.h> 44 #include <inet/sctp_ip.h> 45 #include <inet/ipclassifier.h> 46 #include "sctp_impl.h" 47 48 /* 49 * Helper function for SunCluster (PSARC/2005/602) to get the original source 50 * address from the COOKIE 51 */ 52 int cl_sctp_cookie_paddr(sctp_chunk_hdr_t *, in6_addr_t *); 53 54 /* 55 * From RFC 2104. This should probably go into libmd5 (and while 56 * we're at it, maybe we should make a libdigest so we can later 57 * add SHA1 and others, esp. since some weaknesses have been found 58 * with MD5). 59 * 60 * text IN pointer to data stream 61 * text_len IN length of data stream 62 * key IN pointer to authentication key 63 * key_len IN length of authentication key 64 * digest OUT caller digest to be filled in 65 */ 66 static void 67 hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len, 68 uchar_t *digest) 69 { 70 MD5_CTX context; 71 uchar_t k_ipad[65]; /* inner padding - key XORd with ipad */ 72 uchar_t k_opad[65]; /* outer padding - key XORd with opad */ 73 uchar_t tk[16]; 74 int i; 75 76 /* if key is longer than 64 bytes reset it to key=MD5(key) */ 77 if (key_len > 64) { 78 MD5_CTX tctx; 79 80 MD5Init(&tctx); 81 MD5Update(&tctx, key, key_len); 82 MD5Final(tk, &tctx); 83 84 key = tk; 85 key_len = 16; 86 } 87 88 /* 89 * the HMAC_MD5 transform looks like: 90 * 91 * MD5(K XOR opad, MD5(K XOR ipad, text)) 92 * 93 * where K is an n byte key 94 * ipad is the byte 0x36 repeated 64 times 95 * opad is the byte 0x5c repeated 64 times 96 * and text is the data being protected 97 */ 98 99 /* start out by storing key in pads */ 100 bzero(k_ipad, sizeof (k_ipad)); 101 bzero(k_opad, sizeof (k_opad)); 102 bcopy(key, k_ipad, key_len); 103 bcopy(key, k_opad, key_len); 104 105 /* XOR key with ipad and opad values */ 106 for (i = 0; i < 64; i++) { 107 k_ipad[i] ^= 0x36; 108 k_opad[i] ^= 0x5c; 109 } 110 /* 111 * perform inner MD5 112 */ 113 MD5Init(&context); /* init context for 1st */ 114 /* pass */ 115 MD5Update(&context, k_ipad, 64); /* start with inner pad */ 116 MD5Update(&context, text, text_len); /* then text of datagram */ 117 MD5Final(digest, &context); /* finish up 1st pass */ 118 /* 119 * perform outer MD5 120 */ 121 MD5Init(&context); /* init context for 2nd */ 122 /* pass */ 123 MD5Update(&context, k_opad, 64); /* start with outer pad */ 124 MD5Update(&context, digest, 16); /* then results of 1st */ 125 /* hash */ 126 MD5Final(digest, &context); /* finish up 2nd pass */ 127 } 128 129 /* 130 * If inmp is non-NULL, and we need to abort, it will use the IP/SCTP 131 * info in initmp to send the abort. Otherwise, no abort will be sent. 132 * If errmp is non-NULL, a chain of unrecognized parameters will 133 * be created and returned via *errmp. 134 * 135 * Returns 1 if the parameters are OK (or there are no parameters), or 136 * 0 if not. 137 */ 138 static int 139 validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch, 140 sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie, 141 mblk_t **errmp, int *supp_af, uint_t *sctp_options) 142 { 143 sctp_parm_hdr_t *cph; 144 sctp_init_chunk_t *ic; 145 ssize_t remaining; 146 uint16_t serror = 0; 147 char *details = NULL; 148 size_t errlen = 0; 149 boolean_t got_cookie = B_FALSE; 150 uint16_t ptype; 151 152 if (sctp_options != NULL) 153 *sctp_options = 0; 154 155 /* First validate stream parameters */ 156 if (init->sic_instr == 0 || init->sic_outstr == 0) { 157 serror = SCTP_ERR_BAD_MANDPARM; 158 dprint(1, 159 ("validate_init_params: bad sid, is=%d os=%d\n", 160 htons(init->sic_instr), htons(init->sic_outstr))); 161 goto abort; 162 } 163 if (ntohl(init->sic_inittag) == 0) { 164 serror = SCTP_ERR_BAD_MANDPARM; 165 dprint(1, ("validate_init_params: inittag = 0\n")); 166 goto abort; 167 } 168 169 remaining = ntohs(ch->sch_len) - sizeof (*ch); 170 ic = (sctp_init_chunk_t *)(ch + 1); 171 remaining -= sizeof (*ic); 172 if (remaining < sizeof (*cph)) { 173 /* Nothing to validate */ 174 if (want_cookie != NULL) 175 goto cookie_abort; 176 return (1); 177 } 178 179 cph = (sctp_parm_hdr_t *)(ic + 1); 180 181 while (cph != NULL) { 182 ptype = ntohs(cph->sph_type); 183 switch (ptype) { 184 case PARM_HBINFO: 185 case PARM_UNRECOGNIZED: 186 case PARM_ECN: 187 /* just ignore them */ 188 break; 189 case PARM_FORWARD_TSN: 190 if (sctp_options != NULL) 191 *sctp_options |= SCTP_PRSCTP_OPTION; 192 break; 193 case PARM_COOKIE: 194 got_cookie = B_TRUE; 195 if (want_cookie != NULL) { 196 *want_cookie = cph; 197 } 198 break; 199 case PARM_ADDR4: 200 *supp_af |= PARM_SUPP_V4; 201 break; 202 case PARM_ADDR6: 203 *supp_af |= PARM_SUPP_V6; 204 break; 205 case PARM_COOKIE_PRESERVE: 206 case PARM_ADAPT_LAYER_IND: 207 /* These are OK */ 208 break; 209 case PARM_ADDR_HOST_NAME: 210 /* Don't support this; abort the association */ 211 serror = SCTP_ERR_BAD_ADDR; 212 details = (char *)cph; 213 errlen = ntohs(cph->sph_len); 214 dprint(1, ("sctp:validate_init_params: host addr\n")); 215 goto abort; 216 case PARM_SUPP_ADDRS: { 217 /* Make sure we have a supported addr intersection */ 218 uint16_t *p, addrtype; 219 int plen; 220 221 plen = ntohs(cph->sph_len); 222 p = (uint16_t *)(cph + 1); 223 while (plen > 0) { 224 addrtype = ntohs(*p); 225 switch (addrtype) { 226 case PARM_ADDR6: 227 *supp_af |= PARM_SUPP_V6; 228 break; 229 case PARM_ADDR4: 230 *supp_af |= PARM_SUPP_V4; 231 break; 232 default: 233 /* 234 * Do nothing, silently ignore hostname 235 * address. 236 */ 237 break; 238 } 239 p++; 240 plen -= sizeof (*p); 241 } 242 break; 243 } 244 default: 245 /* Unrecognized param; check the high order bits */ 246 if ((ptype & 0xc000) == 0xc000) { 247 /* 248 * report unrecognized param, and 249 * keep processing 250 */ 251 if (errmp != NULL) { 252 if (want_cookie != NULL) { 253 *errmp = sctp_make_err(sctp, 254 PARM_UNRECOGNIZED, 255 (void *)cph, 256 ntohs(cph->sph_len)); 257 } else { 258 sctp_add_unrec_parm(cph, errmp); 259 } 260 } 261 break; 262 } 263 if (ptype & 0x4000) { 264 /* 265 * Stop processing and drop; report 266 * unrecognized param 267 */ 268 serror = SCTP_ERR_UNREC_PARM; 269 details = (char *)cph; 270 errlen = ntohs(cph->sph_len); 271 goto abort; 272 } 273 if (ptype & 0x8000) { 274 /* skip and continue processing */ 275 break; 276 } 277 278 /* 279 * 2 high bits are clear; stop processing and 280 * drop packet 281 */ 282 return (0); 283 } 284 285 cph = sctp_next_parm(cph, &remaining); 286 } 287 /* 288 * Some sanity checks. The following should not fail unless the 289 * other side is broken. 290 * 291 * 1. If this is a V4 endpoint but V4 address is not 292 * supported, abort. 293 * 2. If this is a V6 only endpoint but V6 address is 294 * not supported, abort. This assumes that a V6 295 * endpoint can use both V4 and V6 addresses. 296 * We only care about supp_af when processing INIT, i.e want_cookie 297 * is NULL. 298 */ 299 if (want_cookie == NULL && 300 ((sctp->sctp_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) || 301 (sctp->sctp_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) && 302 sctp->sctp_connp->conn_ipv6_v6only))) { 303 dprint(1, ("sctp:validate_init_params: supp addr\n")); 304 serror = SCTP_ERR_BAD_ADDR; 305 goto abort; 306 } 307 308 if (want_cookie != NULL && !got_cookie) { 309 cookie_abort: 310 dprint(1, ("validate_init_params: cookie absent\n")); 311 sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM, 312 details, errlen, inmp, 0, B_FALSE); 313 return (0); 314 } 315 316 /* OK */ 317 return (1); 318 319 abort: 320 if (want_cookie != NULL) 321 return (0); 322 323 sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details, 324 errlen, inmp, 0, B_FALSE); 325 return (0); 326 } 327 328 /* 329 * Initialize params from the INIT and INIT-ACK when the assoc. is 330 * established. 331 */ 332 boolean_t 333 sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init, 334 sctp_init_chunk_t *iack) 335 { 336 /* Get initial TSN */ 337 sctp->sctp_ftsn = ntohl(init->sic_inittsn); 338 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 339 340 /* Serial number is initialized to the same value as the TSN */ 341 sctp->sctp_fcsn = sctp->sctp_lastacked; 342 343 /* 344 * Get verification tags; no byteordering is necessary, since 345 * verfication tags are never processed except for byte-by-byte 346 * comparisons. 347 */ 348 sctp->sctp_fvtag = init->sic_inittag; 349 sctp->sctp_sctph->sh_verf = init->sic_inittag; 350 sctp->sctp_sctph6->sh_verf = init->sic_inittag; 351 sctp->sctp_lvtag = iack->sic_inittag; 352 353 /* Get the peer's rwnd */ 354 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd); 355 356 /* Allocate the in/out-stream counters */ 357 sctp->sctp_num_ostr = iack->sic_outstr; 358 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 359 sctp->sctp_num_ostr, KM_NOSLEEP); 360 if (sctp->sctp_ostrcntrs == NULL) 361 return (B_FALSE); 362 363 sctp->sctp_num_istr = iack->sic_instr; 364 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) * 365 sctp->sctp_num_istr, KM_NOSLEEP); 366 if (sctp->sctp_instr == NULL) { 367 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) * 368 sctp->sctp_num_ostr); 369 sctp->sctp_ostrcntrs = NULL; 370 return (B_FALSE); 371 } 372 return (B_TRUE); 373 } 374 375 /* 376 * Copy the peer's original source address into addr. This relies on the 377 * following format (see sctp_send_initack() below): 378 * relative timestamp for the cookie (int64_t) + 379 * cookie lifetime (uint32_t) + 380 * local tie-tag (uint32_t) + peer tie-tag (uint32_t) + 381 * Peer's original src ... 382 */ 383 int 384 cl_sctp_cookie_paddr(sctp_chunk_hdr_t *ch, in6_addr_t *addr) 385 { 386 uchar_t *off; 387 388 ASSERT(addr != NULL); 389 390 if (ch->sch_id != CHUNK_COOKIE) 391 return (EINVAL); 392 393 off = (uchar_t *)ch + sizeof (*ch) + sizeof (int64_t) + 394 sizeof (uint32_t) + sizeof (uint32_t) + sizeof (uint32_t); 395 396 bcopy(off, addr, sizeof (*addr)); 397 398 return (0); 399 } 400 401 #define SCTP_CALC_COOKIE_LEN(initcp) \ 402 sizeof (int64_t) + /* timestamp */ \ 403 sizeof (uint32_t) + /* cookie lifetime */ \ 404 sizeof (sctp_init_chunk_t) + /* INIT ACK */ \ 405 sizeof (in6_addr_t) + /* peer's original source */ \ 406 ntohs((initcp)->sch_len) + /* peer's INIT */ \ 407 sizeof (uint32_t) + /* local tie-tag */ \ 408 sizeof (uint32_t) + /* peer tie-tag */ \ 409 sizeof (sctp_parm_hdr_t) + /* param header */ \ 410 16 /* MD5 hash */ 411 412 void 413 sctp_send_initack(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *initmp) 414 { 415 ipha_t *initiph; 416 ip6_t *initip6h; 417 ipha_t *iackiph; 418 ip6_t *iackip6h; 419 sctp_chunk_hdr_t *iack_ch; 420 sctp_init_chunk_t *iack; 421 sctp_init_chunk_t *init; 422 sctp_hdr_t *iacksh; 423 sctp_hdr_t *initsh; 424 size_t cookielen; 425 size_t iacklen; 426 size_t ipsctplen; 427 size_t errlen = 0; 428 sctp_parm_hdr_t *cookieph; 429 mblk_t *iackmp; 430 uint32_t itag; 431 uint32_t itsn; 432 int64_t *now; 433 int64_t nowt; 434 uint32_t *lifetime; 435 char *p; 436 boolean_t isv4; 437 int supp_af = 0; 438 uint_t sctp_options; 439 uint32_t *ttag; 440 int pad; 441 mblk_t *errmp = NULL; 442 boolean_t initcollision = B_FALSE; 443 boolean_t linklocal = B_FALSE; 444 cred_t *cr; 445 446 BUMP_LOCAL(sctp->sctp_ibchunks); 447 isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION); 448 449 /* Extract the INIT chunk */ 450 if (isv4) { 451 initiph = (ipha_t *)initmp->b_rptr; 452 initsh = (sctp_hdr_t *)((char *)initiph + 453 IPH_HDR_LENGTH(initmp->b_rptr)); 454 ipsctplen = sctp->sctp_ip_hdr_len; 455 supp_af |= PARM_SUPP_V4; 456 } else { 457 initip6h = (ip6_t *)initmp->b_rptr; 458 initsh = (sctp_hdr_t *)(initip6h + 1); 459 ipsctplen = sctp->sctp_ip_hdr6_len; 460 if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src)) 461 linklocal = B_TRUE; 462 supp_af |= PARM_SUPP_V6; 463 } 464 ASSERT(OK_32PTR(initsh)); 465 init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch)); 466 467 /* Make sure we like the peer's parameters */ 468 if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp, 469 &supp_af, &sctp_options) == 0) { 470 return; 471 } 472 if (errmp != NULL) 473 errlen = msgdsize(errmp); 474 if (sctp->sctp_family == AF_INET) { 475 /* 476 * Irregardless of the supported address in the INIT, v4 477 * must be supported. 478 */ 479 supp_af = PARM_SUPP_V4; 480 } 481 if (sctp->sctp_state <= SCTPS_LISTEN) { 482 /* normal, expected INIT: generate new vtag and itsn */ 483 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag)); 484 if (itag == 0) 485 itag = (uint32_t)gethrtime(); 486 itsn = itag + 1; 487 itag = htonl(itag); 488 } else if (sctp->sctp_state == SCTPS_COOKIE_WAIT || 489 sctp->sctp_state == SCTPS_COOKIE_ECHOED) { 490 /* init collision; copy vtag and itsn from sctp */ 491 itag = sctp->sctp_lvtag; 492 itsn = sctp->sctp_ltsn; 493 /* 494 * In addition we need to send all the params that was sent 495 * in our INIT chunk. Essentially, it is only the supported 496 * address params that we need to add. 497 */ 498 initcollision = B_TRUE; 499 /* 500 * When we sent the INIT, we should have set linklocal in 501 * the sctp which should be good enough. 502 */ 503 if (linklocal) 504 linklocal = B_FALSE; 505 } else { 506 /* peer restart; generate new vtag but keep everything else */ 507 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag)); 508 if (itag == 0) 509 itag = (uint32_t)gethrtime(); 510 itag = htonl(itag); 511 itsn = sctp->sctp_ltsn; 512 } 513 514 /* 515 * Allocate a mblk for the INIT ACK, consisting of the link layer 516 * header, the IP header, the SCTP common header, and INIT ACK chunk, 517 * and finally the COOKIE parameter. 518 */ 519 cookielen = SCTP_CALC_COOKIE_LEN(ch); 520 iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen; 521 if (sctp->sctp_send_adaption) 522 iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t)); 523 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) && 524 sctp->sctp_prsctp_aware && sctp_prsctp_enabled) { 525 iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION); 526 } 527 if (initcollision) 528 iacklen += sctp_supaddr_param_len(sctp); 529 if (!linklocal) 530 iacklen += sctp_addr_params_len(sctp, supp_af, B_FALSE); 531 ipsctplen += sizeof (*iacksh) + iacklen; 532 iacklen += errlen; 533 if ((pad = ipsctplen % 4) != 0) { 534 pad = 4 - pad; 535 ipsctplen += pad; 536 } 537 iackmp = allocb_cred(ipsctplen + sctp_wroff_xtra, 538 CONN_CRED(sctp->sctp_connp)); 539 if (iackmp == NULL) { 540 sctp_send_abort(sctp, sctp_init2vtag(ch), 541 SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE); 542 return; 543 } 544 545 /* Copy in the [imcomplete] IP/SCTP composite header */ 546 p = (char *)(iackmp->b_rptr + sctp_wroff_xtra); 547 iackmp->b_rptr = (uchar_t *)p; 548 if (isv4) { 549 bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len); 550 iackiph = (ipha_t *)p; 551 552 /* Copy the peer's IP addr */ 553 iackiph->ipha_dst = initiph->ipha_src; 554 iackiph->ipha_src = initiph->ipha_dst; 555 iackiph->ipha_length = htons(ipsctplen + errlen); 556 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len); 557 } else { 558 bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len); 559 iackip6h = (ip6_t *)p; 560 561 /* Copy the peer's IP addr */ 562 iackip6h->ip6_dst = initip6h->ip6_src; 563 iackip6h->ip6_src = initip6h->ip6_dst; 564 iackip6h->ip6_plen = htons(ipsctplen - sizeof (*iackip6h) + 565 errlen); 566 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len); 567 } 568 ASSERT(OK_32PTR(iacksh)); 569 570 /* Fill in the holes in the SCTP common header */ 571 iacksh->sh_sport = initsh->sh_dport; 572 iacksh->sh_dport = initsh->sh_sport; 573 iacksh->sh_verf = init->sic_inittag; 574 575 /* INIT ACK chunk header */ 576 iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1); 577 iack_ch->sch_id = CHUNK_INIT_ACK; 578 iack_ch->sch_flags = 0; 579 iack_ch->sch_len = htons(iacklen); 580 581 /* The INIT ACK itself */ 582 iack = (sctp_init_chunk_t *)(iack_ch + 1); 583 iack->sic_inittag = itag; /* already in network byteorder */ 584 iack->sic_inittsn = htonl(itsn); 585 586 iack->sic_a_rwnd = htonl(sctp->sctp_rwnd); 587 /* Advertise what we would want to have as stream #'s */ 588 iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr, 589 ntohs(init->sic_instr))); 590 iack->sic_instr = htons(sctp->sctp_num_istr); 591 592 p = (char *)(iack + 1); 593 p += sctp_adaption_code_param(sctp, (uchar_t *)p); 594 if (initcollision) 595 p += sctp_supaddr_param(sctp, (uchar_t *)p); 596 if (!linklocal) 597 p += sctp_addr_params(sctp, supp_af, (uchar_t *)p); 598 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) && 599 sctp->sctp_prsctp_aware && sctp_prsctp_enabled) { 600 p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION); 601 } 602 /* 603 * Generate and lay in the COOKIE parameter. 604 * 605 * Any change here that results in a change of location for 606 * the peer's orig source address must be propagated to the fn 607 * cl_sctp_cookie_paddr() above. 608 * 609 * The cookie consists of: 610 * 1. The relative timestamp for the cookie (lbolt64) 611 * 2. The cookie lifetime (uint32_t) in tick 612 * 3. The local tie-tag 613 * 4. The peer tie-tag 614 * 5. Peer's original src, used to confirm the validity of address. 615 * 6. Our INIT ACK chunk, less any parameters 616 * 7. The INIT chunk (may contain parameters) 617 * 8. 128-bit MD5 signature. 618 * 619 * Since the timestamp values will only be evaluated locally, we 620 * don't need to worry about byte-ordering them. 621 */ 622 cookieph = (sctp_parm_hdr_t *)p; 623 cookieph->sph_type = htons(PARM_COOKIE); 624 cookieph->sph_len = htons(cookielen); 625 626 /* timestamp */ 627 now = (int64_t *)(cookieph + 1); 628 nowt = lbolt64; 629 bcopy(&nowt, now, sizeof (*now)); 630 631 /* cookie lifetime -- need configuration */ 632 lifetime = (uint32_t *)(now + 1); 633 *lifetime = sctp->sctp_cookie_lifetime; 634 635 /* Set the tie-tags */ 636 ttag = (uint32_t *)(lifetime + 1); 637 if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) { 638 *ttag = 0; 639 ttag++; 640 *ttag = 0; 641 ttag++; 642 } else { 643 /* local tie-tag (network byte-order) */ 644 *ttag = sctp->sctp_lvtag; 645 ttag++; 646 /* peer tie-tag (network byte-order) */ 647 *ttag = sctp->sctp_fvtag; 648 ttag++; 649 } 650 /* 651 * Copy in peer's original source address so that we can confirm 652 * the reachability later. 653 */ 654 p = (char *)ttag; 655 if (isv4) { 656 in6_addr_t peer_addr; 657 658 IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr); 659 bcopy(&peer_addr, p, sizeof (in6_addr_t)); 660 } else { 661 bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t)); 662 } 663 p += sizeof (in6_addr_t); 664 /* Copy in our INIT ACK chunk */ 665 bcopy(iack, p, sizeof (*iack)); 666 iack = (sctp_init_chunk_t *)p; 667 /* Set the # of streams we'll end up using */ 668 iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr)); 669 iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr)); 670 p += sizeof (*iack); 671 672 /* Copy in the peer's INIT chunk */ 673 bcopy(ch, p, ntohs(ch->sch_len)); 674 p += ntohs(ch->sch_len); 675 676 /* 677 * Calculate the HMAC ICV into the digest slot in buf. 678 * First, generate a new secret if the current secret is 679 * older than the new secret lifetime parameter permits, 680 * copying the current secret to sctp_old_secret. 681 */ 682 if (sctp_new_secret_interval > 0 && 683 (sctp->sctp_last_secret_update + 684 MSEC_TO_TICK(sctp_new_secret_interval)) <= nowt) { 685 bcopy(sctp->sctp_secret, sctp->sctp_old_secret, 686 SCTP_SECRET_LEN); 687 (void) random_get_pseudo_bytes(sctp->sctp_secret, 688 SCTP_SECRET_LEN); 689 sctp->sctp_last_secret_update = nowt; 690 } 691 692 hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16, 693 (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p); 694 695 iackmp->b_wptr = iackmp->b_rptr + ipsctplen; 696 iackmp->b_cont = errmp; /* OK if NULL */ 697 698 if (is_system_labeled() && (cr = DB_CRED(initmp)) != NULL && 699 crgetlabel(cr) != NULL) { 700 conn_t *connp = sctp->sctp_connp; 701 int err, adjust; 702 703 if (isv4) 704 err = tsol_check_label(cr, &iackmp, &adjust, 705 connp->conn_mac_exempt); 706 else 707 err = tsol_check_label_v6(cr, &iackmp, &adjust, 708 connp->conn_mac_exempt); 709 if (err != 0) { 710 sctp_send_abort(sctp, sctp_init2vtag(ch), 711 SCTP_ERR_AUTH_ERR, NULL, 0, initmp, 0, B_FALSE); 712 freemsg(iackmp); 713 return; 714 } 715 if (isv4) { 716 iackiph = (ipha_t *)iackmp->b_rptr; 717 adjust += ntohs(iackiph->ipha_length); 718 iackiph->ipha_length = htons(adjust); 719 } 720 } 721 722 /* 723 * Stash the conn ptr info. for IP only as e don't have any 724 * cached IRE. 725 */ 726 SCTP_STASH_IPINFO(iackmp, (ire_t *)NULL); 727 728 /* XXX sctp == sctp_g_q, so using its obchunks is valid */ 729 BUMP_LOCAL(sctp->sctp_opkts); 730 BUMP_LOCAL(sctp->sctp_obchunks); 731 732 /* OK to call IP_PUT() here instead of sctp_add_sendq(). */ 733 CONN_INC_REF(sctp->sctp_connp); 734 iackmp->b_flag |= MSGHASREF; 735 IP_PUT(iackmp, sctp->sctp_connp, isv4); 736 } 737 738 void 739 sctp_send_cookie_ack(sctp_t *sctp) 740 { 741 sctp_chunk_hdr_t *cach; 742 mblk_t *camp; 743 744 camp = sctp_make_mp(sctp, NULL, sizeof (*cach)); 745 if (camp == NULL) { 746 /* XXX should abort, but don't have the inmp anymore */ 747 return; 748 } 749 750 cach = (sctp_chunk_hdr_t *)camp->b_wptr; 751 camp->b_wptr = (uchar_t *)(cach + 1); 752 cach->sch_id = CHUNK_COOKIE_ACK; 753 cach->sch_flags = 0; 754 cach->sch_len = htons(sizeof (*cach)); 755 756 sctp_set_iplen(sctp, camp); 757 758 BUMP_LOCAL(sctp->sctp_obchunks); 759 760 sctp_add_sendq(sctp, camp); 761 } 762 763 static int 764 sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaption_code) 765 { 766 767 if (len < sizeof (*sph)) 768 return (-1); 769 while (sph != NULL) { 770 if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) && 771 ntohs(sph->sph_len) >= (sizeof (*sph) + 772 sizeof (uint32_t))) { 773 *adaption_code = *(uint32_t *)(sph + 1); 774 return (0); 775 } 776 sph = sctp_next_parm(sph, &len); 777 } 778 return (-1); 779 } 780 781 void 782 sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp) 783 { 784 mblk_t *cemp; 785 mblk_t *mp = NULL; 786 mblk_t *head; 787 mblk_t *meta; 788 sctp_faddr_t *fp; 789 sctp_chunk_hdr_t *cech; 790 sctp_init_chunk_t *iack; 791 int32_t cansend; 792 int32_t seglen; 793 size_t ceclen; 794 sctp_parm_hdr_t *cph; 795 sctp_data_hdr_t *sdc; 796 sctp_tf_t *tf; 797 int pad = 0; 798 int hdrlen; 799 mblk_t *errmp = NULL; 800 uint_t sctp_options; 801 int error; 802 uint16_t old_num_str; 803 804 iack = (sctp_init_chunk_t *)(iackch + 1); 805 806 cph = NULL; 807 if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp, 808 &pad, &sctp_options) == 0) { /* result in 'pad' ignored */ 809 BUMP_MIB(&sctp_mib, sctpAborted); 810 sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL); 811 sctp_clean_death(sctp, ECONNABORTED); 812 return; 813 } 814 ASSERT(cph != NULL); 815 816 ASSERT(sctp->sctp_cookie_mp == NULL); 817 818 /* Got a cookie to echo back; allocate an mblk */ 819 ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph); 820 if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0) 821 pad = SCTP_ALIGN - pad; 822 823 if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION) 824 hdrlen = sctp->sctp_hdr_len; 825 else 826 hdrlen = sctp->sctp_hdr6_len; 827 828 cemp = allocb(sctp_wroff_xtra + hdrlen + ceclen + pad, BPRI_MED); 829 if (cemp == NULL) { 830 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current, 831 sctp->sctp_current->rto); 832 if (errmp != NULL) 833 freeb(errmp); 834 return; 835 } 836 cemp->b_rptr += (sctp_wroff_xtra + hdrlen); 837 838 /* Process the INIT ACK */ 839 sctp->sctp_sctph->sh_verf = iack->sic_inittag; 840 sctp->sctp_sctph6->sh_verf = iack->sic_inittag; 841 sctp->sctp_fvtag = iack->sic_inittag; 842 sctp->sctp_ftsn = ntohl(iack->sic_inittsn); 843 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 844 sctp->sctp_fcsn = sctp->sctp_lastacked; 845 sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd); 846 847 /* 848 * Populate sctp with addresses given in the INIT ACK or IP header. 849 * Need to set the df bit in the current fp as it has been cleared 850 * in sctp_connect(). 851 */ 852 sctp->sctp_current->df = B_TRUE; 853 /* 854 * Since IP uses this info during the fanout process, we need to hold 855 * the lock for this hash line while performing this operation. 856 */ 857 /* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctp->sctp_ports); */ 858 ASSERT(sctp->sctp_conn_tfp != NULL); 859 tf = sctp->sctp_conn_tfp; 860 /* sctp isn't a listener so only need to hold conn fanout lock */ 861 mutex_enter(&tf->tf_lock); 862 if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) { 863 mutex_exit(&tf->tf_lock); 864 freeb(cemp); 865 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current, 866 sctp->sctp_current->rto); 867 if (errmp != NULL) 868 freeb(errmp); 869 return; 870 } 871 mutex_exit(&tf->tf_lock); 872 873 fp = sctp->sctp_current; 874 875 /* 876 * There could be a case when we get an INIT-ACK again, if the INIT 877 * is re-transmitted, for e.g., which means we would have already 878 * allocated this resource earlier (also for sctp_instr). In this 879 * case we check and re-allocate, if necessary. 880 */ 881 old_num_str = sctp->sctp_num_ostr; 882 if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr) 883 sctp->sctp_num_ostr = ntohs(iack->sic_instr); 884 if (sctp->sctp_ostrcntrs == NULL) { 885 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 886 sctp->sctp_num_ostr, KM_NOSLEEP); 887 } else { 888 ASSERT(old_num_str > 0); 889 if (old_num_str != sctp->sctp_num_ostr) { 890 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) * 891 old_num_str); 892 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 893 sctp->sctp_num_ostr, KM_NOSLEEP); 894 } 895 } 896 if (sctp->sctp_ostrcntrs == NULL) { 897 freeb(cemp); 898 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 899 if (errmp != NULL) 900 freeb(errmp); 901 return; 902 } 903 904 /* 905 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs 906 * hold here too. 907 */ 908 old_num_str = sctp->sctp_num_istr; 909 if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr) 910 sctp->sctp_num_istr = ntohs(iack->sic_outstr); 911 if (sctp->sctp_instr == NULL) { 912 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) * 913 sctp->sctp_num_istr, KM_NOSLEEP); 914 } else { 915 ASSERT(old_num_str > 0); 916 if (old_num_str != sctp->sctp_num_istr) { 917 kmem_free(sctp->sctp_instr, 918 sizeof (*sctp->sctp_instr) * old_num_str); 919 sctp->sctp_instr = kmem_zalloc( 920 sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr, 921 KM_NOSLEEP); 922 } 923 } 924 if (sctp->sctp_instr == NULL) { 925 kmem_free(sctp->sctp_ostrcntrs, 926 sizeof (uint16_t) * sctp->sctp_num_ostr); 927 freeb(cemp); 928 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 929 if (errmp != NULL) 930 freeb(errmp); 931 return; 932 } 933 934 if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware) 935 sctp->sctp_prsctp_aware = B_FALSE; 936 937 if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1), 938 ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)), 939 &sctp->sctp_rx_adaption_code) == 0) { 940 sctp->sctp_recv_adaption = 1; 941 } 942 943 cech = (sctp_chunk_hdr_t *)cemp->b_rptr; 944 ASSERT(OK_32PTR(cech)); 945 cech->sch_id = CHUNK_COOKIE; 946 cech->sch_flags = 0; 947 cech->sch_len = htons(ceclen); 948 949 /* Copy the cookie (less the parm hdr) to the chunk */ 950 bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph)); 951 952 cemp->b_wptr = cemp->b_rptr + ceclen; 953 954 if (sctp->sctp_unsent > 0) { 955 sctp_msg_hdr_t *smh; 956 mblk_t *prev = NULL; 957 uint32_t unsent = 0; 958 959 mp = sctp->sctp_xmit_unsent; 960 do { 961 smh = (sctp_msg_hdr_t *)mp->b_rptr; 962 if (smh->smh_sid >= sctp->sctp_num_ostr) { 963 unsent += smh->smh_msglen; 964 if (prev != NULL) 965 prev->b_next = mp->b_next; 966 else 967 sctp->sctp_xmit_unsent = mp->b_next; 968 mp->b_next = NULL; 969 sctp_sendfail_event(sctp, mp, SCTP_ERR_BAD_SID, 970 B_FALSE); 971 if (prev != NULL) 972 mp = prev->b_next; 973 else 974 mp = sctp->sctp_xmit_unsent; 975 } else { 976 prev = mp; 977 mp = mp->b_next; 978 } 979 } while (mp != NULL); 980 if (unsent > 0) { 981 ASSERT(sctp->sctp_unsent >= unsent); 982 sctp->sctp_unsent -= unsent; 983 /* 984 * Update ULP the amount of queued data, which is 985 * sent-unack'ed + unsent. 986 * This is not necessary, but doesn't harm, we 987 * just use unsent instead of sent-unack'ed + 988 * unsent, since there won't be any sent-unack'ed 989 * here. 990 */ 991 if (!SCTP_IS_DETACHED(sctp)) { 992 sctp->sctp_ulp_xmitted(sctp->sctp_ulpd, 993 sctp->sctp_unsent); 994 } 995 } 996 if (sctp->sctp_xmit_unsent == NULL) 997 sctp->sctp_xmit_unsent_tail = NULL; 998 } 999 ceclen += pad; 1000 cansend = MIN(sctp->sctp_unsent, sctp->sctp_frwnd); 1001 meta = sctp_get_msg_to_send(sctp, &mp, NULL, &error, ceclen, 1002 cansend, NULL); 1003 /* 1004 * The error cannot be anything else since we could have an non-zero 1005 * error only if sctp_get_msg_to_send() tries to send a Forward 1006 * TSN which will not happen here. 1007 */ 1008 ASSERT(error == 0); 1009 if (meta == NULL) 1010 goto sendcookie; 1011 sctp->sctp_xmit_tail = meta; 1012 sdc = (sctp_data_hdr_t *)mp->b_rptr; 1013 seglen = ntohs(sdc->sdh_len); 1014 if ((ceclen + seglen) > fp->sfa_pmss || 1015 (seglen - sizeof (*sdc)) > cansend) { 1016 goto sendcookie; 1017 } 1018 /* OK, if this fails */ 1019 cemp->b_cont = dupmsg(mp); 1020 sendcookie: 1021 head = sctp_add_proto_hdr(sctp, fp, cemp, 0, NULL); 1022 if (head == NULL) { 1023 freemsg(cemp); 1024 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1025 if (errmp != NULL) 1026 freeb(errmp); 1027 return; 1028 } 1029 /* 1030 * Even if cookie-echo exceeds MTU for one of the hops, it'll 1031 * have a chance of getting there. 1032 */ 1033 if (fp->isv4) { 1034 ipha_t *iph = (ipha_t *)head->b_rptr; 1035 iph->ipha_fragment_offset_and_flags = 0; 1036 } 1037 BUMP_LOCAL(sctp->sctp_obchunks); 1038 1039 sctp->sctp_cookie_mp = dupmsg(head); 1040 /* Don't bundle, we will just resend init if this cookie is lost. */ 1041 if (sctp->sctp_cookie_mp == NULL) { 1042 if (cemp->b_cont != NULL) { 1043 freemsg(cemp->b_cont); 1044 cemp->b_cont = NULL; 1045 } 1046 } else if (cemp->b_cont != NULL) { 1047 ASSERT(mp != NULL && mp == meta->b_cont); 1048 SCTP_CHUNK_CLEAR_FLAGS(cemp->b_cont); 1049 cemp->b_wptr += pad; 1050 seglen -= sizeof (*sdc); 1051 SCTP_CHUNK_SENT(sctp, mp, sdc, fp, seglen, meta); 1052 } 1053 if (errmp != NULL) 1054 linkb(head, errmp); 1055 sctp->sctp_state = SCTPS_COOKIE_ECHOED; 1056 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1057 1058 sctp_set_iplen(sctp, head); 1059 sctp_add_sendq(sctp, head); 1060 } 1061 1062 int 1063 sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp, 1064 sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaption, 1065 in6_addr_t *peer_addr) 1066 { 1067 int32_t clen; 1068 size_t initplen; 1069 uchar_t *p; 1070 uchar_t *given_hash; 1071 uchar_t needed_hash[16]; 1072 int64_t ts; 1073 int64_t diff; 1074 uint32_t *lt; 1075 sctp_init_chunk_t *iack; 1076 sctp_chunk_hdr_t *initch; 1077 sctp_init_chunk_t *init; 1078 uint32_t *lttag; 1079 uint32_t *fttag; 1080 uint32_t ports; 1081 1082 BUMP_LOCAL(sctp->sctp_ibchunks); 1083 /* Verify the ICV */ 1084 clen = ntohs(ch->sch_len) - sizeof (*ch) - 16; 1085 if (clen < 0) { 1086 dprint(1, ("invalid cookie chunk length %d\n", 1087 ntohs(ch->sch_len))); 1088 1089 return (-1); 1090 } 1091 p = (uchar_t *)(ch + 1); 1092 1093 hmac_md5(p, clen, (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, 1094 needed_hash); 1095 1096 /* The given hash follows the cookie data */ 1097 given_hash = p + clen; 1098 1099 if (bcmp(given_hash, needed_hash, 16) != 0) { 1100 /* The secret may have changed; try the old secret */ 1101 hmac_md5(p, clen, (uchar_t *)sctp->sctp_old_secret, 1102 SCTP_SECRET_LEN, needed_hash); 1103 if (bcmp(given_hash, needed_hash, 16) != 0) { 1104 return (-1); 1105 } 1106 } 1107 1108 /* Timestamp is int64_t, and we only guarantee 32-bit alignment */ 1109 bcopy(p, &ts, sizeof (ts)); 1110 /* Cookie life time, int32_t */ 1111 lt = (uint32_t *)(p + sizeof (ts)); 1112 1113 /* 1114 * To quote PRC, "this is our baby", so let's continue. 1115 * We need to pull out the encapsulated INIT ACK and 1116 * INIT chunks. Note that we don't process these until 1117 * we have verified the timestamp, but we need them before 1118 * processing the timestamp since if the time check fails, 1119 * we need to get the verification tag from the INIT in order 1120 * to send a stale cookie error. 1121 */ 1122 lttag = (uint32_t *)(lt + 1); 1123 fttag = lttag + 1; 1124 if (peer_addr != NULL) 1125 bcopy(fttag + 1, peer_addr, sizeof (in6_addr_t)); 1126 iack = (sctp_init_chunk_t *)((char *)(fttag + 1) + sizeof (in6_addr_t)); 1127 initch = (sctp_chunk_hdr_t *)(iack + 1); 1128 init = (sctp_init_chunk_t *)(initch + 1); 1129 initplen = ntohs(initch->sch_len) - (sizeof (*init) + sizeof (*initch)); 1130 *iackpp = iack; 1131 *recv_adaption = 0; 1132 1133 /* Check the timestamp */ 1134 diff = lbolt64 - ts; 1135 if (diff > *lt && (init->sic_inittag != sctp->sctp_fvtag || 1136 iack->sic_inittag != sctp->sctp_lvtag)) { 1137 1138 uint32_t staleness; 1139 1140 staleness = TICK_TO_USEC(diff); 1141 staleness = htonl(staleness); 1142 sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE, 1143 (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE); 1144 1145 dprint(1, ("stale cookie %d\n", staleness)); 1146 1147 return (-1); 1148 } 1149 1150 /* Check for attack by adding addresses to a restart */ 1151 bcopy(insctph, &ports, sizeof (ports)); 1152 if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP) != 1) { 1153 return (-1); 1154 } 1155 1156 /* Look for adaptation code if there any parms in the INIT chunk */ 1157 if ((initplen >= sizeof (sctp_parm_hdr_t)) && 1158 (sctp_find_al_ind((sctp_parm_hdr_t *)(init + 1), initplen, 1159 &sctp->sctp_rx_adaption_code) == 0)) { 1160 *recv_adaption = 1; 1161 } 1162 1163 /* Examine tie-tags */ 1164 1165 if (sctp->sctp_state >= SCTPS_COOKIE_WAIT) { 1166 if (sctp->sctp_state == SCTPS_ESTABLISHED && 1167 init->sic_inittag == sctp->sctp_fvtag && 1168 iack->sic_inittag == sctp->sctp_lvtag && 1169 *fttag == 0 && *lttag == 0) { 1170 1171 dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n", 1172 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1173 (int)(sctp->sctp_fport))); 1174 return (-1); 1175 } 1176 1177 if (init->sic_inittag != sctp->sctp_fvtag && 1178 iack->sic_inittag != sctp->sctp_lvtag && 1179 *fttag == sctp->sctp_fvtag && 1180 *lttag == sctp->sctp_lvtag) { 1181 int i; 1182 1183 /* Section 5.2.4 case A: restart */ 1184 sctp->sctp_fvtag = init->sic_inittag; 1185 sctp->sctp_lvtag = iack->sic_inittag; 1186 1187 sctp->sctp_sctph->sh_verf = init->sic_inittag; 1188 sctp->sctp_sctph6->sh_verf = init->sic_inittag; 1189 1190 sctp->sctp_ftsn = ntohl(init->sic_inittsn); 1191 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 1192 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd); 1193 sctp->sctp_fcsn = sctp->sctp_lastacked; 1194 1195 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1196 sctp->sctp_state = SCTPS_ESTABLISHED; 1197 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1198 } 1199 1200 dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n", 1201 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1202 (int)(sctp->sctp_fport))); 1203 /* reset parameters */ 1204 sctp_congest_reset(sctp); 1205 1206 /* reset stream bookkeeping */ 1207 sctp_instream_cleanup(sctp, B_FALSE); 1208 1209 sctp->sctp_istr_nmsgs = 0; 1210 sctp->sctp_rxqueued = 0; 1211 for (i = 0; i < sctp->sctp_num_ostr; i++) { 1212 sctp->sctp_ostrcntrs[i] = 0; 1213 } 1214 /* XXX flush xmit_list? */ 1215 1216 return (0); 1217 } else if (init->sic_inittag != sctp->sctp_fvtag && 1218 iack->sic_inittag == sctp->sctp_lvtag) { 1219 1220 /* Section 5.2.4 case B: INIT collision */ 1221 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1222 if (!sctp_initialize_params(sctp, init, iack)) 1223 return (-1); /* Drop? */ 1224 sctp->sctp_state = SCTPS_ESTABLISHED; 1225 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1226 } 1227 1228 dprint(1, ("init collision with %x:%x:%x:%x (%d)\n", 1229 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1230 (int)(sctp->sctp_fport))); 1231 1232 return (0); 1233 } else if (iack->sic_inittag != sctp->sctp_lvtag && 1234 init->sic_inittag == sctp->sctp_fvtag && 1235 *fttag == 0 && *lttag == 0) { 1236 1237 /* Section 5.2.4 case C: late COOKIE */ 1238 dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n", 1239 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1240 (int)(sctp->sctp_fport))); 1241 return (-1); 1242 } else if (init->sic_inittag == sctp->sctp_fvtag && 1243 iack->sic_inittag == sctp->sctp_lvtag) { 1244 1245 /* 1246 * Section 5.2.4 case D: COOKIE ECHO retransmit 1247 * Don't check cookie lifetime 1248 */ 1249 dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n", 1250 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1251 (int)(sctp->sctp_fport))); 1252 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1253 if (!sctp_initialize_params(sctp, init, iack)) 1254 return (-1); /* Drop? */ 1255 sctp->sctp_state = SCTPS_ESTABLISHED; 1256 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1257 } 1258 return (0); 1259 } else { 1260 /* unrecognized case -- silently drop it */ 1261 return (-1); 1262 } 1263 } 1264 1265 return (0); 1266 } 1267 1268 /* 1269 * Similar to ip_fanout_sctp, except that the src addr(s) are drawn 1270 * from address parameters in an INIT ACK's address list. This 1271 * function is used when an INIT ACK is received but IP's fanout 1272 * function could not find a sctp via the normal lookup routine. 1273 * This can happen when a host sends an INIT ACK from a different 1274 * address than the INIT was sent to. 1275 * 1276 * Returns the sctp_t if found, or NULL if not found. 1277 */ 1278 sctp_t * 1279 sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich, 1280 uint_t ipif_seqid, zoneid_t zoneid) 1281 { 1282 int isv4; 1283 ipha_t *iph; 1284 ip6_t *ip6h; 1285 in6_addr_t dst; 1286 in6_addr_t src; 1287 sctp_parm_hdr_t *ph; 1288 ssize_t remaining; 1289 sctp_init_chunk_t *iack; 1290 uint32_t ports; 1291 sctp_t *sctp = NULL; 1292 1293 ASSERT(ich->sch_id == CHUNK_INIT_ACK); 1294 1295 isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION); 1296 if (isv4) { 1297 iph = (ipha_t *)mp->b_rptr; 1298 IN6_IPADDR_TO_V4MAPPED(iph->ipha_dst, &dst); 1299 } else { 1300 ip6h = (ip6_t *)mp->b_rptr; 1301 dst = ip6h->ip6_dst; 1302 } 1303 1304 ports = *(uint32_t *)sctph; 1305 1306 dprint(1, ("sctp_addrlist2sctp: ports=%u, dst = %x:%x:%x:%x\n", 1307 ports, SCTP_PRINTADDR(dst))); 1308 1309 /* pull out any address parameters */ 1310 remaining = ntohs(ich->sch_len) - sizeof (*ich) - sizeof (*iack); 1311 if (remaining < sizeof (*ph)) { 1312 return (NULL); 1313 } 1314 1315 iack = (sctp_init_chunk_t *)(ich + 1); 1316 ph = (sctp_parm_hdr_t *)(iack + 1); 1317 1318 while (ph != NULL) { 1319 /* 1320 * params have been put in host byteorder by 1321 * sctp_check_input() 1322 */ 1323 if (ph->sph_type == PARM_ADDR4) { 1324 IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1), 1325 &src); 1326 1327 sctp = sctp_conn_match(&src, &dst, ports, ipif_seqid, 1328 zoneid); 1329 1330 dprint(1, 1331 ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n", 1332 SCTP_PRINTADDR(src), (void *)sctp)); 1333 1334 1335 if (sctp != NULL) { 1336 return (sctp); 1337 } 1338 } else if (ph->sph_type == PARM_ADDR6) { 1339 src = *(in6_addr_t *)(ph + 1); 1340 sctp = sctp_conn_match(&src, &dst, ports, ipif_seqid, 1341 zoneid); 1342 1343 dprint(1, 1344 ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n", 1345 SCTP_PRINTADDR(src), (void *)sctp)); 1346 1347 if (sctp != NULL) { 1348 return (sctp); 1349 } 1350 } 1351 1352 ph = sctp_next_parm(ph, &remaining); 1353 } 1354 1355 return (NULL); 1356 } 1357